T 5.84 Forged certificates
The purpose of certificates is to bind a public cryptographic key to a person. The binding of a key to the name of a person is then protected cryptographically by the digital signature of a trusted neutral organisation. A third party then uses these certificates to verify digital signatures of the person identified in the certificate, or to send that person data encrypted with the key recorded in the certificate.
If such a certificate is forged, false signatures appear valid when verified and are attributed to the person named in the certificate, or data is encrypted and sent with a key that may be insecure. Both opportunities for attack may induce a perpetrator to bring forged certificates into circulation.
Forged certificates can be produced in various ways:
- Internal perpetrators within the neutral organisation create a certificate with false entries using the organisation's own signing key. This certificate is authentic and is found to be correct when verified.
- Perpetrators pretend to be someone else and request a certificate made out to that person, even though the perpetrators themselves hold the private key corresponding to the public key.
- Perpetrators produce a certificate and sign it with a key of their own. The forgery is noticed only if the certificate is verified and it can be determined that it was issued by an untrustworthy organisation.
Once perpetrators have somehow obtained a certificate with incorrect entries, they can pretend to be someone else when communicating with peers at any time, both when sending and when receiving messages.
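To make the three cases concrete, here is an added example (not part of the original catalogue entry) using Go's standard crypto/x509 package: it constructs a trusted CA, a rogue CA and an end-entity certificate for the same subject from each, then checks which of them pass chain verification against a single trust anchor. All names and keys are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert builds a constructed in-memory certificate for subject: a self-signed
// CA when parent is nil, otherwise an end-entity certificate signed by parentKey.
func newCert(subject string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	issuer, signer := parent, parentKey
	if parent == nil { // a CA signs its own certificate with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		issuer, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// trustedBy reports whether cert was issued under the given trust anchor. A
// certificate from any other issuer fails here; one signed with the anchor's
// own key passes, so this check alone cannot expose an insider forgery.
func trustedBy(cert *x509.Certificate, anchor *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
```

Chain verification against the trust anchor rejects a certificate of the third kind (signed with an outsider's own key) but accepts both a genuine certificate and one issued by an insider with the organisation's signing key, which is why the first two kinds must be countered at the organisation itself.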